[SOLVED]Error: Need Customer id (OTRS multiple domains)

[BrianYin]

Hello;

I am new to OTRS. We are using two domains in different locations for the agents and customers. I followed the instruction here modifying the config.pm file.
After done that i can search all the customers from agent site. However, i can only login from the customer site by using the first domain account. When i used the account from the second domain, the system said "Need customer ID". why does that happen? how I can solve this problem of Error: Need CustomerID!!!

"ERROR: OTRS-CGI-10 Perl: 5.12.3 OS: MSWin32 Time: Wed Aug 29 17:39:29 2012

Message: Need CustomerID!!!

Traceback (7484):
Module: Kernel::Output::HTML::Layout::CustomerError (v1.381.2.10) Line: 3653
Module: Kernel::Modules::CustomerTicketOverview::Run (v1.4.2.1) Line: 68
Module: Kernel::System::Web::InterfaceCustomer::Run (v1.63) Line: 998
Module: ModPerl::ROOT::ModPerl::Registry::I_3a_Program_20Files_OTRS_OTRS_bin_cgi_2dbin_customer_2epl::handler (unknown version) Line: 49
Module: (eval) (v1.44) Line: 204
Module: ModPerl::RegistryCooker::run (v1.44) Line: 204
Module: ModPerl::RegistryCooker::default_handler (v1.44) Line: 170
Module: ModPerl::Registry::handler (v1.99) Line: 31
"

Thanks in advance for the help!

[crythias]

"I followed instructions and it doesn't work" doesn't help us help you.
If you made changes to Config.pm, show us the Config.pm and the source(s) that told you what to change.

[BrianYin]

#Enable LDAP authentication for Customers / Users
$Self->{'Customer::AuthModule1'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host1'} = '192.168.0.20';
$Self->{'Customer::AuthModule::LDAP::BaseDN1'} = 'dc=greatwall,dc=com,dc=cn';
$Self->{'Customer::AuthModule::LDAP::UID1'} = 'sAMAccountName';


#The following is valid but would only be necessary if the
#anonymous user do NOT have permission to read from the LDAP tree
$Self->{'Customer::AuthModule::LDAP::SearchUserDN1'} = 'XXX';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw1'} = 'XXX';


#CustomerUser
#(customer user database backend and settings)


$Self->{CustomerUser1} = {
Name => 'greatwall_windows_ad',
Module => 'Kernel::System::CustomerUser::LDAP',
Params => {
Host => '192.168.0.20',
BaseDN => 'dc=greatwall,dc=com,dc=cn',
SSCOPE => 'sub',
UserDN =>'XXXX',
UserPw => 'XXXXX',
SourceCharset => 'utf-8',
DestCharset => 'utf-8',
},

# customer unique id
CustomerKey => 'sAMAccountName',
# customer #
CustomerID => 'mail',
CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
CustomerUserSearchPrefix1=> '',
CustomerUserSearchSuffix => '@greatwall.com.cn',
CustomerUserSearchListLimit => 250,
CustomerUserPostMasterSearchFields => ['mail'],
CustomerUserNameFields => ['sn','givenname'],


Map => [
# note: Login, Email and CustomerID needed!
# var, frontend, storage, shown, required, storage-type
#[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
[ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
[ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
[ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
[ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
[ 'UserPhone', 'Phone', 'pager', 1, 1, 'var' ],
[ 'UserDepartment', 'Department', 'Department', 1, 0, 'var' ],
#[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
],
};

# The following is valid but would only be necessary if the
# anonymous user do NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN1'} = 'XXX';
$Self->{'AuthModule::LDAP::SearchUserPw1'} = 'XXXX';


# UserSyncLDAPMap
# (map if agent should create/synced from LDAP to DB after login)
$Self->{UserSyncLDAPMap1} = {
# DB -> LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};
# UserTable
$Self->{DatabaseUserTable1} = 'users';
$Self->{DatabaseUserTableUserID1} = 'id';
$Self->{DatabaseUserTableUserPW1} = 'pw';
$Self->{DatabaseUserTableUser1} = 'login';


#Add the following lines when only users are allowed to login if they reside in the spicified security group
#Remove these lines if you want to provide login to all users specified in the User Base DN
# Remove by Tony
#$Self->{'AuthModule::LDAP::GroupDN'} = 'dc=greatwall,dc=com,dc=cn';
#$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
#$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';


# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params1'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups1'} = ['users',];

# agent data sync against ldap
# Remove by Tony
# $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
# $Self->{'AuthSyncModule::LDAP::Host'} = '10.2.50.100';
# $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'cn=ITS,cn=users,dc=woobest,dc=com';
# $Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
# $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=otrsldap,cn=users,dc=woobest,dc=com';
# $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'XXX';
# $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
# DB -> LDAP
# UserFirstname => 'givenName',
# UserLastname => 'sn',
# UserEmail => 'mail',
# };

#Created by Brian
#Enable LDAP authentication for Customers / Users
$Self->{'Customer::AuthModule2'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host2'} = '192.168.52.20';
$Self->{'Customer::AuthModule::LDAP::BaseDN2'} = 'dc=monitor,dc=greatwall,dc=com,dc=cn';
$Self->{'Customer::AuthModule::LDAP::UID2'} = 'sAMAccountName';


#The following is valid but would only be necessary if the
#anonymous user do NOT have permission to read from the LDAP tree
$Self->{'Customer::AuthModule::LDAP::SearchUserDN2'} = 'XXXX';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw2'} = 'XXXX';


#CustomerUser
#(customer user database backend and settings)


$Self->{CustomerUser2} = {
Name => 'monitor_greatwall_windows_ad',
Module => 'Kernel::System::CustomerUser::LDAP',
Params => {
Host => '192.168.52.20',
BaseDN => 'dc=monitor,dc=greatwall,dc=com,dc=cn',
SSCOPE => 'sub',
UserDN =>'XXXX',
UserPw => 'XXX',
SourceCharset => 'utf-8',
DestCharset => 'utf-8',
},

# customer unique id
CustomerKey => 'sAMAccountName',
# customer #
CustomerID => 'mail',
CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
CustomerUserSearchPrefix => '',
CustomerUserSearchSuffix => '@greatwall.com.cn',
CustomerUserSearchListLimit => 250,
CustomerUserPostMasterSearchFields => ['mail'],
CustomerUserNameFields => ['sn','givenname'],


Map => [
# note: Login, Email and CustomerID needed!
# var, frontend, storage, shown, required, storage-type
#[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
[ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
[ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
[ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
[ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
[ 'UserPhone', 'Phone', 'pager', 1, 1, 'var' ],
[ 'UserDepartment', 'Department', 'Department', 1, 0, 'var' ],
#[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
],
};

# The following is valid but would only be necessary if the
# anonymous user do NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN2'} = 'XXXX';
$Self->{'AuthModule::LDAP::SearchUserPw2'} = 'XXXX';


# UserSyncLDAPMap
# (map if agent should create/synced from LDAP to DB after login)
$Self->{UserSyncLDAPMap2} = {
# DB -> LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};
# UserTable
$Self->{DatabaseUserTable2} = 'users';
$Self->{DatabaseUserTableUserID2} = 'id';
$Self->{DatabaseUserTableUserPW2} = 'pw';
$Self->{DatabaseUserTableUser2} = 'login';


#Add the following lines when only users are allowed to login if they reside in the spicified security group
#Remove these lines if you want to provide login to all users specified in the User Base DN
# Remove by Tony
#$Self->{'AuthModule::LDAP::GroupDN'} = 'dc=greatwall,dc=com,dc=cn';
#$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
#$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';


# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params2'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups2'} = ['users',];

[crythias]

Well, that and logs... but here goes.

http://doc.otrs.org/3.1/en/html/auth-ba ... ckend-ldap
viewtopic.php?f=60&t=16543
You're missing
$Self->{'Customer::AuthModule::LDAP::UserAttr1'} = 'sAMAccountName'; (for instance) or UID or DN

and
http://wiki.otterhub.org/index.php?titl ... _customers

CustomerUserSearchSuffix => '@greatwall.com.cn', #may not be correct.
Probably '*' is better. Your error log will tell you exactly what it's trying to search, which is sAMAccountName = loginname@greatwall.com.cn

But that's only section1. section2 is the same thing. all logins will append the suffix and if that's correct for the sAMAccountName, it should work, otherwise ... check your logs and let us know.

[BrianYin]

this is the error piece of logs
By the way, these two domains are parent and child, monitor is child of greatwall. they trust each other.
first is the customer(yinxing) from the first domain, the other(itservice) is from the second domain
+++++++++++++++++++++++++++

[Thu Aug 30 11:18:39 2012][Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: yinxing (CN=尹星,OU=软件部,OU=信息中心,OU=长城计算机,DC=greatwall,DC=com,DC=cn) authentication ok (REMOTE_ADDR: 127.0.0.1).
[Thu Aug 30 11:18:41 2012][Notice][Kernel::System::Web::InterfaceCustomer::Run] Response::Customer: 0s taken (URL:Action=CustomerTicketOverview;Subaction=:yinxing)
[Thu Aug 30 11:18:43 2012][Notice][Kernel::System::Web::InterfaceCustomer::Run] Response::Customer: 1s taken (URL:Action=CustomerTicketOverview;Subaction=MyTickets:yinxing)
[Thu Aug 30 11:18:48 2012][Notice][Kernel::System::AuthSession::DB::RemoveSessionID] Removed SessionID 10743afa021bf8caff75a91e40b1e321ec.
[Thu Aug 30 11:18:58 2012][Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: itservice authentication failed, no LDAP entry found!BaseDN='dc=greatwall,dc=com,dc=cn', Filter='(sAMAccountName=itservice)', (REMOTE_ADDR: 127.0.0.1).
[Thu Aug 30 11:18:58 2012][Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: itservice authentication failed, no LDAP entry found!BaseDN='dc=greatwall,dc=com,dc=cn', Filter='(sAMAccountName=itservice)', (REMOTE_ADDR: 127.0.0.1).
[Thu Aug 30 11:18:58 2012][Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: itservice (CN=itservice,OU=信息中心,OU=长城公司,DC=monitor,DC=greatwall,DC=com,DC=cn) authentication ok (REMOTE_ADDR: 127.0.0.1).
[Thu Aug 30 11:19:00 2012][Notice][Kernel::System::Web::InterfaceCustomer::Run] Response::Customer: 0s taken (URL:Action=CustomerTicketOverview;Subaction=:itservice)
[Thu Aug 30 11:19:01 2012][Error][Kernel::Output::HTML::Layout::CustomerError][3653] Need CustomerID!!!
[Thu Aug 30 11:19:01 2012][Notice][Kernel::System::Web::InterfaceCustomer::Run] Response::Customer: 0s taken (URL:Action=CustomerTicketOverview;Subaction=MyTickets:itservice)

[crythias]

[Thu Aug 30 11:19:00 2012][Notice][Kernel::System::Web::InterfaceCustomer::Run] Response::Customer: 0s taken (URL:Action=CustomerTicketOverview;Subaction=:itservice)
[Thu Aug 30 11:19:01 2012][Error][Kernel::Output::HTML::Layout::CustomerError][3653] Need CustomerID!!!

[ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],

does itservice have an attribute of mail?

[BrianYin]

yes, it does. itservice@greatwall.com.cn, in domain monitor.greatwall.com.cn

[crythias]

There's not enough information to troubleshoot, then.
If I had a guess, it would be that itservice exists in both domains, one of which does not have a mail attribute.

[BrianYin]

no, itservice is the only one in monitor domain, what else information do u need ?

[crythias]

I regret I may be unable to provide additional support on this issue.

I also don't know why this is doing this 3 times...
[Thu Aug 30 11:18:58 2012][Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: itservice authentication failed, no LDAP entry found!BaseDN='dc=greatwall,dc=com,dc=cn', Filter='(sAMAccountName=itservice)', (REMOTE_ADDR: 127.0.0.1).
[Thu Aug 30 11:18:58 2012][Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: itservice authentication failed, no LDAP entry found!BaseDN='dc=greatwall,dc=com,dc=cn', Filter='(sAMAccountName=itservice)', (REMOTE_ADDR: 127.0.0.1).
[Thu Aug 30 11:18:58 2012][Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: itservice (CN=itservice,OU=信息中心,OU=长城公司,DC=monitor,DC=greatwall,DC=com,DC=cn) authentication ok (REMOTE_ADDR: 127.0.0.1).

Did you modify Defaults.pm?

[BrianYin]

no, i didn't change it ,but this is from default.pm
+++++++++++++++++++++++++++++++++++++++++++

# customer unique id
CustomerKey => 'login',

# customer #
CustomerID => 'customer_id',
CustomerValid => 'valid_id',
CustomerUserListFields => [ 'first_name', 'last_name', 'email' ],

# CustomerUserListFields => ['login', 'first_name', 'last_name', 'customer_id', 'email'],
CustomerUserSearchFields => [ 'login', 'first_name', 'last_name', 'customer_id' ],
CustomerUserSearchPrefix => '*',
CustomerUserSearchSuffix => '*',
CustomerUserSearchListLimit => 250,
CustomerUserPostMasterSearchFields => ['email'],
CustomerUserNameFields => [ 'title', 'first_name', 'last_name' ],
CustomerUserEmailUniqCheck => 1,

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
the reason i guess why the system configration from Agent backend site system configration--framework--frontend::customer auth
in this part there only one host,baseDN,searchuserDN,searchuserpw
does this setting cause the problem?

[crythias]

You may not want to modify SysConfig if the entries are managed in Config.pm. That would indeed be a third entry.

[BrianYin]

i find the logs there have some differences
when it works the BaseDN:domain is DC=greatwall, DC=com,DC=cn
but it fails the BaseDN: domain is dc=greatwall,dc=com,dc=cn
why does that happen?

[Thu Aug 30 20:24:29 2012][Notice][main::_start] Scheduler Service is starting...!
[Thu Aug 30 20:24:30 2012][Notice][main::_start] Scheduler Service start! PID 9596
[Thu Aug 30 20:25:44 2012][Notice][Kernel::System::Web::InterfaceAgent::Run] Response::Agent: 9s taken (URL:Action=AgentDashboard&Subaction=:yinxing)
[Thu Aug 30 20:25:57 2012][Notice][Kernel::System::AuthSession::DB::CheckSessionID] SessionID: '10c8b000fedeebfe2952da2f7cec580170' is invalid!!!
[Thu Aug 30 20:26:05 2012][Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: yinxing (CN=尹星,OU=软件部,OU=信息中心,OU=长城计算机,DC=greatwall,DC=com,DC=cn) authentication ok (REMOTE_ADDR: 127.0.0.1).
[Thu Aug 30 20:26:05 2012][Notice][Kernel::System::Web::InterfaceCustomer::Run] Response::Customer: 0s taken (URL:Action=CustomerTicketOverview;Subaction=:yinxing)
[Thu Aug 30 20:26:06 2012][Notice][Kernel::System::Web::InterfaceCustomer::Run] Response::Customer: 1s taken (URL:Action=CustomerTicketOverview;Subaction=MyTickets:yinxing)
[Thu Aug 30 20:26:09 2012][Notice][Kernel::System::AuthSession::DB::RemoveSessionID] Removed SessionID 109dead1cf88d7b031621310447dbf1bb4.
[Thu Aug 30 20:26:15 2012][Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: itservice authentication failed, no LDAP entry found!BaseDN='dc=greatwall,dc=com,dc=cn', Filter='(sAMAccountName=itservice)', (REMOTE_ADDR: 127.0.0.1).
[Thu Aug 30 20:26:15 2012][Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: itservice authentication failed, no LDAP entry found!BaseDN='dc=greatwall,dc=com,dc=cn', Filter='(sAMAccountName=itservice)', (REMOTE_ADDR: 127.0.0.1).
[Thu Aug 30 20:26:15 2012][Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: itservice (CN=itservice,OU=信息中心,OU=长城公司,DC=monitor,DC=greatwall,DC=com,DC=cn) authentication ok (REMOTE_ADDR: 127.0.0.1).
[Thu Aug 30 20:26:15 2012][Notice][Kernel::System::Web::InterfaceCustomer::Run] Response::Customer: 0s taken (URL:Action=CustomerTicketOverview;Subaction=:itservice)
[Thu Aug 30 20:26:15 2012][Error][Kernel::Output::HTML::Layout::CustomerError][3653] Need CustomerID!!!
[Thu Aug 30 20:26:15 2012][Notice][Kernel::System::Web::InterfaceCustomer::Run] Response::Customer: 0s taken (URL:Action=CustomerTicketOverview;Subaction=MyTickets:itservice)

[crythias]

when it works the BaseDN:domain is DC=greatwall, DC=com,DC=cn
but it fails the BaseDN: domain is dc=greatwall,dc=com,dc=cn
why does that happen?

You're asking about case sensitivity? That's an issue with your ldap provider.

[BrianYin]

Does config setting between parent domain and child domain the same as the two different domains which trust each other?
should it should be different ?

[crythias]

Does config setting between parent domain and child domain the same as the two different domains which trust each other?
should it should be different ?

I don't know. I'm a bit outside what I feel I am able to provide support for on this, on a forum.

I'm concerned about 3 LDAP auth.
I'm curious to know if DC=monitor is considered "below" the BasedDN of DC=greatwall
There are probably a few other things that I'd probably enable logging (code addition?) to address within LDAP.pm for CustomerAuth, to drill down and answer.
What it comes down to is that CustomerID isn't returned because, possibly, itservice is resolved first on greatwall, and it doesn't have a mail attribute.

I could be wrong. This is an environment that is not typical of that which I have provided support on this forum. Could I fix it hands on? Probably, but I don't have enough information to properly address it. (And I'm not entirely certain what information I'd need, but if I had additional debugging, to know what didn't return, that could help.)

[BrianYin]

you are right, the problem is mail account!! Thanks a lot! really appreciate it ! you are the MASTER indeed!!!